Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Josh Wright who normally teaches the SECURITY 509: Securing Oracle that I wrote for SANS has written a useful tool called hashattack. This is a set of simple scripts that pre-computes the password hashes for a particular Oracle user such as SYS or SYSTEM. The scripts use a dictionary (you can provide your own) to pre-compute the hashes for a large list of possible passwords. You then can use the database table of password/hash combinations to check if the current password is set to a dictionary word. The list can then be used to check the password for the same user in any number of databases. So whilst it is time consuming to create the hash list once created it can be re0used to great effect.

PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database,
design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.